Abstract. We consider the problem of logical data erasure, contrasting 
with physical erasure in the same way that end-to-end information flow 
control contrasts with access control. We present a semantic hierarchy 
for erasure policies, using a possibilistic knowledge-based semantics to 
define policy satisfaction such that there is an intuitively clear upper 
bound on what information an erasure policy permits to be retained. 
Our hierarchy allows a rich class of erasure policies to be expressed, 
taking account of the power of the attacker, how much information may 
be retained, and under what conditions it may be retained. While our 
main aim is to specify erasure policies, the semantic framework allows 
quite general information-flow policies to be formulated for a variety of 
semantic notions of secrecy. 



1 Introduction 

Erasing data can be difficult for many reasons. As an example, recent research on SSD-drives has shown that the low-level routines for erasing data often inadvertently leave data behind [53]. This is due to the fact that information on an SSD (in contrast to a more conventional magnetic hard drive) gets copied to various parts of memory in order to even out wear. The naive firmware sanitisation routines do not have access to the movement-history of data, and so leave potentially large amounts of data behind.

This paper is not focused on low-level erasure per se. The requirement that 
data is used but not retained is commonplace in many non hardware-specific 
scenarios. As an everyday example consider the credit card details provided by 
a user to a payment system. The expectation is that card details will be used to 
authorise payment, but will not be retained by the system once the transaction 
is complete. 

An erasure policy describes such a limited use of a piece of data. But what does it mean for a system to correctly erase some piece of data? One natural approach, taken here, is to view erasure as an information-flow concept, following [7]. To erase something means that after the point of erasure there is no information flowing from the original data to observers of the system. This gives a natural generalisation of the low-level concept of physical erasure to what one might call logical erasure. Logical erasure specifies that a system behaves as if it has physically erased some data from the viewpoint of a particular observer. The observer viewpoint is more than just a way to model erasure in a multi-level security context (as in [7]). To understand the importance of the attacker viewpoint, consider a system which receives some data subject to an erasure policy. The system then receives a random key from a one-time pad and XORs it with the secret. The key is then overwritten with a constant. Does such a system erase the data? The answer, from an information-flow perspective, depends on what the observer (a.k.a. the attacker) can see/remember about the execution. An attacker who can see the exact final state of the system (including the encrypted data) and nothing more, cannot deduce anything about the subject data, and so we can conclude that it is erased for that attacker. But if the attacker could also observe the key that was provided, then the system is not erasing. Different situations may need to model different attacker powers.

In practice the concept of erasure is a subtle one in which many dimensions play a role. This is analogous to the various "dimensions" of declassification [27]. In this paper we develop a semantic model for erasure which can account for different amounts of erasure, covering the situation where some but not necessarily all information about the subject is removed, and different varieties of conditional erasure, which describes both what is erased, and under what conditions.

The contribution of this work is to identify (Section 2) and formalise (Section 4) a hierarchy of increasingly expressive erasure policies which captures various dimensions of erasure. To do this we build on a new possibilistic information-flow model (Section 3) which is parameterised by (i) the subject of the information flow policy (e.g. the data to be erased), (ii) the attacker's observational power. This is done taking into account the facts that an attacker might be interested to learn, and the queries which he can or will be able to answer about the subject.

This is a pre-print, extended version of the work which includes proofs. The 
final publication is available at www.springerlink.com. 

2 Erasure Case Studies 

We consider a series of examples of erasing systems which differ according to the 
way they answer the following questions: 

1. How much of the erasure subject is erased? 

2. Under which conditions is erasure performed? 

The examples are presented via simple imperative pseudocode. We emphasise that the examples themselves are not intended to be realistic programs; they serve to motivate simply and intuitively various types of erasure policy that we will formalise in a more abstract setting in Section 4.

2.1 Total erasure 

Consider a ticket vending machine using credit cards as the payment method. A partial implementation, in simplified form, is shown in Listing 1.1.

    get(cc_number);
    charge(ticket_cost, cc_number);
    log(current_time());
    cc_number = null;

Listing 1.1. Ticket vending machine, total and unconditional erasure

Line 1 inputs the card number; line 2 executes the payment transaction; line 3 writes the transaction time to a log for audit purposes; line 4 deletes the card number. This is an example of an erasing program: once line 4 is executed, the card number has been erased from the system. This statement can be refined further with respect to our original questions: 1) the system is totally erasing (no information about the card number is retained) and 2) erasure occurs unconditionally, since control flow always reaches line 4.



2.2 Partial erasure 



Consider a variant of the vending machine (Listing 1.2) which logs the last four digits of the card number of each transaction, enabling future confirmation of transactions in response to user queries. The difference to Listing 1.1 is in line 3, where additional data is written to the log.

    get(cc_number);
    charge(ticket_cost, cc_number);
    log(current_time(), last4(cc_number));
    cc_number = null;

Listing 1.2. Ticket vending machine, partial and unconditional erasure

With this change, line 4 no longer results in total erasure since, even after cc_number is overwritten, the last four digits of the card number are retained in the log.



2.3 Low dependent erasure 

Consider a further elaboration of the vending machine example (Listing 1.3) which allows the user to choose whether the last four digits are retained.

    get(cc_number);
    charge(ticket_cost, cc_number);
    get(choice);
    if choice = "Allow"
      then log(current_time(), last4(cc_number));
      else log(current_time());
    cc_number = null;

Listing 1.3. Ticket vending machine, low dependent erasure

In line 3 the program acquires the user choice, then it either proceeds as Listing 1.2 or as Listing 1.1 according to the choice. Now the question about how much information is erased has two different answers, depending on the second user input. Since this dependency is not related to the erasure subject itself, we call this low dependent erasure.



2.4 High dependent erasure 

Suppose there is a brand of credit cards, StealthCard, which only allows terminals enforcing a strict confidentiality policy to be connected to their network. This requires a further refinement of the program (Listing 1.4), since StealthCard users are not permitted a choice for the logging option. At line 3 the credit card number is inspected and, if it is a StealthCard, the system proceeds as in Listing 1.1; otherwise it proceeds as in Listing 1.3. Compared to the previous case, this example has an additional layer of dependency, since the amount of data to be erased is itself dependent on the erasure subject. We refer to this as high dependent erasure.

    get(cc_number);
    charge(ticket_cost, cc_number);
    if (cc_number is in StealthCard)
      then log(current_time());
      else get(choice);
           if choice = "Allow"
             then log(current_time(), last4(cc_number));
             else log(current_time());
    cc_number = null;

Listing 1.4. Ticket vending machine, high dependent erasure



3 An abstract model of information flow 

We formalise erasure policies as a particular class of information flow policies. In this section we define the basic building blocks for describing such policies. We consider trace-based (possibilistic) models of system behaviour and we interpret information flow policies over these models. We make the standard conservative assumption that the attacker has perfect knowledge of the system model.

Our definitions are based directly on what an attacker can deduce about an erasure subject from observations of system behaviour. In this respect our model is close in spirit to Sutherland's multi-level security property of nondeducibility [25]. However, we are not directly concerned with multi-level security and, in a number of ways, our model is more abstract than non-deducibility. For example, McLean's criticism [21] of nondeducibility (that it fails to incorporate an appropriate notion of causality) does not apply, since our notion of the "subject" of a policy is general enough to incorporate temporal dependency if required. On the other hand, our model is open to the criticism of nondeducibility made by Wittbold and Johnson [30] with regard to interactive environment behaviours. Adapting our work using the approach of [30] (explicit modelling of user strategies) remains a subject for future work. A more radical departure from the current work, though still possibilistic, would be to take a process-calculus approach [15].



3.1 Trace models 

The behavioural "atom" in our framework is the event (in our examples this will typically be an input ($?v$) or output ($!v$) but internal computation steps can be modelled in the same way). Traces, ranged over by $s, t, s_1, t_1$, etc., are finite or countably infinite sequences of events. We write $t.e$ for the trace $t$ extended with event $e$ and we write $s.t$ for the concatenation of traces $s$ and $t$. In what follows we assume given some set $T$ of traces.



A system is considered to be a set $S \subseteq T$ (the assumption is that $S$ is the set of maximal traces of the system being modelled). Certain parts of system behaviour will be identified as the subject of our policies and we define these parts by a function $\Phi : T \to D$, for some set $D$ (typically, $\Phi$ will be a projection on traces). For a confidentiality property the subject might represent the secret that we are trying to protect (an input or a behaviour of a classified agent). For erasure the subject will be the input which is to be erased.

Given a system $S$, we denote by $\Phi(S)$ the subset of $D$ relevant for $S$:

$\Phi(S) = \{\Phi(t) \mid t \in S\}$

We call this the subject domain of $S$. Let $Sys(V)$ be the set of all systems with subject domain $V$. Our flow policies will be specific to systems with a given subject domain.

3.2 Equivalence relations and partitions 

The essential component of a flow policy is a visibility policy which specifies how much an attacker should be allowed to learn about the subject of a system by observing its behaviour. Following a standard approach in the information flow literature (see, for example, [19, 26]) we use equivalence relations for this purpose. A flow policy for systems in $Sys(V)$ is $R \in ER(V)$, where $ER(V)$ denotes the set of all equivalence relations on $V$. The intention is that attackers should not be able to distinguish between subjects which are equivalent according to $R$. An example is the "have the same last four digits" relation, specifying that the most an attacker should be allowed to learn is the last four digits of the credit card number (put another way, all cards with the same last four digits should look the same to the attacker).

In what follows we make extensive use of two key, well known facts about equivalence relations:

— The set of equivalence relations on $V$, ordered by inclusion of their defining sets of pairs, forms a complete lattice, with the identity relation (which we denote $Id_V$) as the bottom element, and the total relation (which we denote $All_V$) as the top.

— The set of equivalence relations on $V$ is in one-one correspondence with the set of partitions of $V$, where each of the disjoint subsets making up a partition is an equivalence class of the corresponding equivalence relation. We write $PT(V)$ for the set of all partitions of $V$. Given $P \in PT(V)$, we write $\mathcal{E}(P)$ for the corresponding equivalence relation: $v_1\,\mathcal{E}(P)\,v_2$ iff $\exists X \in P.\ v_1, v_2 \in X$. In the other direction, given $R \in ER(V)$ and $v \in V$ we write $[v]_R$ for the equivalence class of $v$: $[v]_R = \{v' \in V \mid v'\,R\,v\}$. We write $[R]$ for the partition corresponding to $R$: $[R] = \{[v]_R \mid v \in V\}$.

In the current context, the significance of $R_1 \subseteq R_2$ is that $R_1$ is more discriminating, i.e., has smaller equivalence classes, than $R_2$. Hence, as visibility policies, $R_1$ is more permissive than $R_2$. The lattice operation of interest on $ER(V)$ is meet, which is given by set intersection. Given a family of equivalence relations $\{R_i\}_{i \in I}$, we write their meet as $\bigwedge_{i \in I} R_i$ (the least permissive equivalence relation which is nonetheless more permissive than each $R_i$).

The order relation on partitions corresponding to subset inclusion on equivalence relations will be written $\preceq_{ER}$, thus $[R_1] \preceq_{ER} [R_2]$ iff $R_1 \subseteq R_2$. We overload the above notation for meets of partitions in this isomorphic lattice:

3.3 Attacker models and K-spaces 

As discussed in the introduction, whether or not a system satisfies a policy will depend on what is observable to the attacker. We specify an attacker model as an equivalence relation on traces, $A \in ER(T)$. Note that this is a passive notion of attacker: attackers can observe but not interact with the system.

To compare what the attacker actually learns about the subject with what the visibility policy permits, we define, for each attacker observation $O \in [A]$, the corresponding knowledge set $K_S(O) \subseteq V$, which is the set of possible subject values which the attacker can deduce from making a given observation³:

$K_S(O) = \{\Phi(t) \mid t \in O \cap S\}$

The K-space of $A$ for $S$, denoted $\mathcal{K}_S(A)$, is the collection of all the attacker's possible (i.e., non-empty) knowledge sets when observing $S$:

$\mathcal{K}_S(A) = \{K_S(O) \mid O \in [A],\ O \cap S \neq \emptyset\}$

Lemma 1. Let $S \in Sys(V)$ and $A \in ER(T)$. Then the K-space of $A$ for $S$ covers $V$, by which we mean that every member of $\mathcal{K}_S(A)$ is non-empty and $\bigcup \mathcal{K}_S(A) = V$.

From now on, for a given $V$, we use the term K-space to mean any collection of sets which covers $V$.

In the special case that a system's behaviour is a function of the subject, each K-space will actually define an equivalence relation on $V$:

Proposition 1. Say that $S \in Sys(V)$ is functional just when, for all $t, t' \in S$, $t \neq t' \Rightarrow \Phi(t) \neq \Phi(t')$. In this case, for all $A \in ER(T)$, $\mathcal{K}_S(A)$ partitions $V$.

When $S$ is functional, the K-space $\mathcal{K}_S(A)$, being a partition, can be interpreted as the equivalence relation $\mathcal{E}(\mathcal{K}_S(A))$. So, in the functional case there is a straightforward way to compare a visibility policy with an attacker's K-space: we say that the policy $R$ is satisfied just when $R$ is more discriminating than this induced equivalence relation. Formally, when $S$ is functional, $S$ satisfies $R$ for attacker $A$, written $S \vdash_A R$, just when $R \subseteq \mathcal{E}(\mathcal{K}_S(A))$ or, equivalently:

$S \vdash_A R$ iff $[R] \preceq_{ER} \mathcal{K}_S(A)$ (1)

We now consider how to extend this definition to the general case, in which a system has other inputs apart from the policy subject.

³ A more reasonable but less conventional terminology would be to call this an uncertainty set.



3.4 Comparing K-Spaces: facts and queries 

In general, a system's behaviour may depend on events which are neither part of the policy subject nor visible to the attacker. In this case, the attacker's knowledge of the subject need not be deterministic, resulting in a K-space which is not a partition. This raises the question: when is one K-space "more discriminating" than another?

Here we motivate a variety of orderings by considering some basic modes in 
which an attacker can use observations to make deductions about the subject of 
a system: 

Facts. A fact $F$ is just a set of values. A given knowledge set $X$ confirms fact $F$ just when $X \subseteq F$. Dually, $X$ has uncertainty $F$ when $F \subseteq X$. For example a fact of interest (to an attacker) might be the set of "Platinum" card numbers. In this case an observation might confirm to the attacker that a card is a Platinum card by also revealing exactly which Platinum card it is. For a given K-space $K$ we then say that

— $K$ can confirm $F$ if there exists some $X \in K$ such that $X$ confirms $F$.

— $K$ can have uncertainty $F$ if there exists some $X \in K$ such that $X$ has uncertainty $F$.

Queries. A query $Q$ is also just a set of values. We say that a given knowledge set $X$ answers query $Q$ just when either $X \subseteq Q$ or $X \subseteq V \setminus Q$. For a given K-space $K$ we then say that

— $K$ will answer $Q$ if for all $X \in K$, $X$ answers $Q$, and

— $K$ can answer $Q$ if there exists some $X \in K$ such that $X$ answers $Q$.

In a possibilistic setting it is natural to focus on those "secrets" which it is 
impossible for a given system to reveal, where revealing a secret could mean 
either confirming a fact or answering a query. Two of the four K-space properties 
defined above have an immediate significance for this notion of secrecy: 

— Say that $S$ keeps fact $F$ secret from attacker $A$ iff there are no runs of $S$ for which $A$'s observation confirms $F$, i.e., iff: $\neg(\mathcal{K}_S(A)$ can confirm $F)$.

— Say that $S$ keeps query $Q$ secret from attacker $A$ iff there are no runs of $S$ for which $A$'s observation answers $Q$, i.e., iff: $\neg(\mathcal{K}_S(A)$ can answer $Q)$.

The possibilistic secrecy significance of "has uncertainty" and "will answer" is 
not so clear. However, as we will show, we are able to define flow policies and a 
parameterized notion of policy satisfaction which behaves well with respect to 
all four properties. 

Using the ability of a K-space to confirm facts and answer queries, we can 
order systems in different ways, where a "smaller" K-space (ie one lower down 
in the ordering) allows the attacker to make more deductions (and so the system 
may be regarded as less secure). Define the following orderings between K-spaces: 

Upper: $K_1 \preceq_U K_2$ iff $\forall F.\ K_2$ can confirm $F \Rightarrow K_1$ can confirm $F$. Note that $K_1 \preceq_U K_2$ iff $K_2$ keeps more facts secret than $K_1$.

Lower: $K_1 \preceq_L K_2$ iff $\forall F.\ K_1$ can have uncertainty $F \Rightarrow K_2$ can have uncertainty $F$.

Convex (Egli-Milner): $K_1 \preceq_{EM} K_2$ iff $K_1 \preceq_U K_2 \wedge K_1 \preceq_L K_2$.

Can-Answer: $K_1 \preceq_{CA} K_2$ iff $\forall Q.\ K_2$ can answer $Q \Rightarrow K_1$ can answer $Q$. Note that $K_1 \preceq_{CA} K_2$ iff $K_2$ keeps more queries secret than $K_1$.

Will-Answer: $K_1 \preceq_{WA} K_2$ iff $\forall Q.\ K_2$ will answer $Q \Rightarrow K_1$ will answer $Q$.

It is straightforward to verify that these orders are reflexive and transitive, but not anti-symmetric. The choice of names for the upper and lower orders is due to their correspondence with the powerdomain orderings [24]:

Proposition 2.

$K_1 \preceq_U K_2$ iff $\forall X_2 \in K_2.\ \exists X_1 \in K_1.\ X_1 \subseteq X_2$

$K_1 \preceq_L K_2$ iff $\forall X_1 \in K_1.\ \exists X_2 \in K_2.\ X_1 \subseteq X_2$

We can compare the K-space orders 1) unconditionally, 2) as in the case of policy satisfaction, when we are comparing a partition with a K-space, and, 3) when the K-spaces are both partitions, yielding the following results:

Proposition 3. 1. $\preceq_{EM} \subseteq \preceq_L \subseteq \preceq_{WA}$ and $\preceq_{EM} \subseteq \preceq_U \subseteq \preceq_{CA}$.

2. Additionally, when $P$ is a partition: $P \preceq_{CA} K \Rightarrow P \preceq_{WA} K$ (the reverse implication does not hold in general).

3. $\preceq_{ER}$, $\preceq_{EM}$, $\preceq_L$ and $\preceq_{WA}$ all coincide on partitions. Furthermore, when $P_1$ and $P_2$ are partitions: $P_1 \preceq_{ER} P_2 \Rightarrow P_1 \preceq_U P_2 \Rightarrow P_1 \preceq_{CA} P_2$ (the reverse implications do not hold in general).

These orderings give us a variety of ways to extend the definition of policy satisfaction from functional systems (Equation (1)) to the general case. The choice will depend on the type of security condition (e.g. protection of facts versus protection of queries) which we wish to impose.
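As an added worked example (not code from the paper), the following Python models the K-space and ordering definitions of this section on the one-time-pad system from the introduction, over a constructed two-bit value domain; the event names, the representation of an attacker model by an observation function, and the brute-force handling of facts and queries over all subsets of V are assumptions of the example. It also checks Proposition 2 and the inclusions of Proposition 3 on a constructed non-partition K-space.

```python
"""K-spaces and the K-space orderings of Section 3 (added example, not the
paper's code). A trace is a tuple of events, a system a set of traces, phi the
policy subject function, and an attacker model is given by an observation
function obs: two traces are A-equivalent iff obs agrees on them. The system
is the one-time-pad program from the introduction over a constructed two-bit
value domain; event names are assumptions."""
from itertools import combinations

V = frozenset(range(4))          # subject domain: constructed 2-bit values


def otp_system():
    """Trace model of: get(data); get(key); data := data XOR key; key := null;
    erased(); output(data).  Both inputs range over V, giving 16 maximal traces."""
    return frozenset((("in", d), ("in", k), ("eta",), ("out", d ^ k))
                     for d in V for k in V)


def phi(t):                      # policy subject: the first input
    return t[0][1]


def kspace(S, obs):
    """K_S(A): one knowledge set (all subjects compatible with an observation)
    per non-empty observation class of the attacker."""
    classes = {}
    for t in S:
        classes.setdefault(obs(t), set()).add(phi(t))
    return frozenset(frozenset(x) for x in classes.values())


def simple_erasure_attacker(t):  # AS: nothing before eta, everything after
    return t[t.index(("eta",)) + 1:]


def key_and_output_attacker(t):  # stronger attacker: also remembers the key
    return (t[1],) + simple_erasure_attacker(t)


def partition(V, key):
    """[R] for the equivalence relation key(v1) == key(v2)."""
    classes = {}
    for v in V:
        classes.setdefault(key(v), set()).add(v)
    return frozenset(frozenset(x) for x in classes.values())


# Facts and queries (Section 3.4).  F and Q range over all subsets of V, which
# is only feasible for a small domain like this one.
def subsets(V):
    return [frozenset(c) for n in range(len(V) + 1)
            for c in combinations(sorted(V), n)]

def can_confirm(K, F):     return any(X <= F for X in K)
def can_uncertainty(K, F): return any(F <= X for X in K)
def answers(X, Q):         return X <= Q or X <= V - Q
def can_answer(K, Q):      return any(answers(X, Q) for X in K)
def will_answer(K, Q):     return all(answers(X, Q) for X in K)


# The five orderings.  U and L use the Proposition 2 characterisation; the
# *_by_facts versions apply the fact-based definitions directly.
def le_U(K1, K2):  return all(any(X1 <= X2 for X1 in K1) for X2 in K2)
def le_L(K1, K2):  return all(any(X1 <= X2 for X2 in K2) for X1 in K1)
def le_EM(K1, K2): return le_U(K1, K2) and le_L(K1, K2)
def le_CA(K1, K2): return all(can_answer(K1, Q) for Q in subsets(V) if can_answer(K2, Q))
def le_WA(K1, K2): return all(will_answer(K1, Q) for Q in subsets(V) if will_answer(K2, Q))
def le_U_by_facts(K1, K2): return all(can_confirm(K1, F) for F in subsets(V) if can_confirm(K2, F))
def le_L_by_facts(K1, K2): return all(can_uncertainty(K2, F) for F in subsets(V) if can_uncertainty(K1, F))

ORDERS = {"U": le_U, "L": le_L, "EM": le_EM, "CA": le_CA, "WA": le_WA}


def satisfies(S, obs, R, o="EM"):
    """S |-^o_A R for an arbitrary (not necessarily functional) system:
    the policy partition [R] is below the K-space in the chosen ordering."""
    return ORDERS[o](R, kspace(S, obs))


def keeps_query_secret(S, obs, Q):
    return not can_answer(kspace(S, obs), Q)


if __name__ == "__main__":
    S, ALL = otp_system(), partition(V, lambda v: "all")
    print(sorted(map(sorted, kspace(S, simple_erasure_attacker))))  # [[0, 1, 2, 3]]
    print(sorted(map(sorted, kspace(S, key_and_output_attacker))))  # [[0], [1], [2], [3]]
    for o in ORDERS:   # AS: satisfied in every ordering; key-seeing attacker: in none
        print(o, satisfies(S, simple_erasure_attacker, ALL, o),
              satisfies(S, key_and_output_attacker, ALL, o))
```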

4 The policy hierarchy 

We specify a three-level hierarchy of erasure policy types. All three types of policy use a structured collection of equivalence relations on the subject domain to define what information should be erased. A key design principle is that, whenever a policy permits part of the erasure subject to be retained, this should be explicit, by which we mean that it should be captured by the conjunction of the component equivalence relations.

For each type of policy, we define a satisfaction relation, parameterized by a choice of K-space ordering $o \in \{U, L, EM, CA, WA\}$.

Assume a fixed policy subject function $\Phi : T \to D$. Given a subset $V \subseteq D$, let $T_V = \{t \in T \mid \Phi(t) \in V\}$. Note that if $S$ belongs to $Sys(V)$ then $S \subseteq T_V$.



Type 0 policies

Type 0 policies allow us to specify unconditional erasure, corresponding to the two examples shown in Section 2 in Listings 1.1 and 1.2.

A Type 0 erasure policy is just a visibility policy. We write Type-0($V$) for the set of all Type 0 policies for systems in $Sys(V)$ (thus Type-0($V$) $= ER(V)$). The definition of satisfaction for a given attacker model $A$ and system $S$ uses a K-space ordering (specified by parameter $o$) to generalise the satisfaction relation of Equation (1) to arbitrary (i.e., not-necessarily functional) systems:

$S \vdash^o_A R$ iff $[R] \preceq_o \mathcal{K}_S(A)$

For functional systems note that, by Proposition 3, choosing $o$ to be any one of EM, L or WA yields a notion of satisfaction equivalent to Equation (1), while U and CA yield strictly weaker notions.

Example. Consider the example in Listing 1.2. The subject domain is $CC$, the set of all credit card numbers, and (since the erasure subject is the initial input) the subject function is the first projection on traces. The policy we have in mind for this system is that it should erase all but the last four digits of the credit card number. We extend this example so that it uses a method call erased() to generate an explicit output event $\eta$ (signalling that erasure should have taken place) followed by a dump of the program memory (thus revealing all retained information to a sufficiently strong attacker).

    get(cc_number);
    charge(ticket_cost, cc_number);
    log(current_time(), last4(cc_number));
    cc_number = null;
    erased();
    dump();

Listing 1.5. Ticket vending machine, partial and unconditional erasure: extended

If we restrict attention to systems (such as this one) where each run starts by inputting a credit card number and eventually outputs the erasure signal exactly once, we can assume a universe of traces $T$ such that all $t \in T$ have the form $t = ?cc.s.\eta.s'$, where $s, s'$ are sequences not including $\eta$. Let $S$ be the trace model for the above system. The required visibility policy is the equivalence relation $L4 \in ER(CC)$ which equates any two credit card numbers sharing the same last four digits. An appropriate attacker model is the attacker who sees nothing before the erasure event and everything afterwards. Call this the simple erasure attacker, denoted $AS$:

$AS = \{(t_1, t_2) \in T \times T \mid \exists s_1, s_2, s_3.\ t_1 = s_1.\eta.s_3 \wedge t_2 = s_2.\eta.s_3\}$

Informally, it should be clear that, for each run of the system, $AS$ will learn the last four digits of the credit card which was input, together with some other log data (the transaction time) which is independent of the card number. Thus the knowledge set on a run, for example, where the card number ends 7016, would be the set of all card numbers ending 7016. The K-space in this example will actually be exactly the partition $[L4]$, hence $S$ does indeed satisfy the specified policy: $S \vdash^o_{AS} L4$ for all choices of $o$. From now on, we write just $S \vdash_A R$ to mean that it holds for all choices of ordering (or, equivalently, we can consider $\vdash_A$ to be shorthand for $\vdash^{EM}_A$, since EM is the strongest ordering).



Type 1 policies

Type 1 policies allow us to specify "low dependent" erasure (Section 2, Listing 1.3), where different amounts may be erased on different runs, but where the erasure condition is independent of the erasure subject itself.

For systems in $Sys(V)$ the erasure condition is specified as a partition $P \in PT(T_V)$. This is paired with a function $f : P \to$ Type-0($V$), which associates a Type 0 policy with each element of the partition. Since the domain of $f$ is determined by the choice of $P$, we use a dependent type notation to specify the set of all Type 1 policies:

$\mathrm{Type\text{-}1}(V) = (P : PT(T_V),\ P \to ER(V))$

Because we want to allow only low dependency, i.e., the erasure condition must be independent of the erasure subject, we require that $P$ is total for $V$, by which we mean:

$\forall X \in P.\ \Phi(X) = V$

This means that knowing the value of the condition will not in itself rule out any possible subject values. To define policy satisfaction we use the components $X \in P$ to partition a system $S$ into disjoint sub-systems $S \cap X$ and check both that each sub-system is defined over the whole subject domain $V$ (again, to ensure low dependency) and that it satisfies the Type 0 policy for sub-domain $X$. So, for a Type 1 policy $(P, f) \in$ Type-1($V$), an attacker model $A$, and system $S \in Sys(V)$, satisfaction is defined thus:

$S \vdash^o_A (P, f)$ iff $\forall X \in P.\ S_X \in Sys(V) \wedge S_X \vdash^o_A f\,X$

where $S_X = S \cap X$.

Example. Consider the example of Listing 1.3 extended with an erasure signal followed by a memory dump (as in our discussion of Type 0 policies above). Let $S$ be the system model for the extended program. We specify a conditional erasure policy where the condition depends solely on the user choice. The erasure condition can be formalised as the partition $Ch \in PT(T)$ with two parts, one for traces where the user answers "Allow" (which we abbreviate to $a$) and one for traces where he doesn't: $Ch = \{Y, \overline{Y}\}$, where $Y = \{t \in T \mid \exists s, s_1, s_2.\ t = s.?a.s_1.\eta.s_2\}$ and $\overline{Y} = T \setminus Y$. For runs falling in the $Y$ component, the intended visibility policy is $L4$, as in the Type 0 example above. For all other runs, the intended policy is $All_{CC}$, specifying complete erasure. The Type 1 policy is thus $(Ch, g)$ where $g : Ch \to ER(CC)$ is given by:

$g(Y) = L4$, $g(\overline{Y}) = All_{CC}$

Intersecting $Y$ and $\overline{Y}$, respectively, with the system model $S$ gives disjoint sub-systems $S_Y$ (all the runs in which the user enters "Allow" to permit retention of the last four digits) and $S_{\overline{Y}}$ (all the other runs). Since the user's erasure choice is input independently of the card number, it is easy to see that both sub-systems are in $Sys(CC)$, that $S_Y \vdash_{AS} L4$, and $S_{\overline{Y}} \vdash_{AS} All$. Thus $S \vdash_{AS} (Ch, g)$.

The following theorem establishes that our "explicitness" design principle is realised by Type 1 policies:

Theorem 1. Let $(P, f) \in$ Type-1($V$) and $S \in Sys(V)$ and $A \in ER(T)$. Let $o \in \{U, L, EM, CA, WA\}$. If $S \vdash^o_A (P, f)$ then:

$[\bigwedge_{X \in P} (f\,X)] \preceq_o \mathcal{K}_S(A)$

Example. Consider instantiating the theorem to the policy $(Ch, g)$ described above. Here the policy is built from the two equivalence relations $All$ and $L4$; the theorem tells us that the knowledge of the attacker is bounded by the meet of these components (and hence nothing that is not an explicit part of the policy), i.e., $All \wedge L4$, which is equivalent to just $L4$.

Type 2 policies

Type 2 policies are the most flexible policies we consider, allowing dependency on both the erasure subject and other properties of a run.

Recall the motivating example from Section 2 (Listing 1.4) in which credit card numbers in a particular set (the StealthCards) $SC \subseteq CC$ are always erased, while the user is given some choice for other card numbers. In this example, the dependency of the policy on the erasure subject can be modelled by the partition $HC = \{SC, \overline{SC}\}$. For each of these two cases, we can specify sub-policies which apply only to card numbers in the corresponding subsets. Since these sub-policies do not involve any further dependence on the erasure subject, they can both be formulated as Type 1 policies for their respective sub-domains. In general then, we define the Type 2 policies as follows:

$\mathrm{Type\text{-}2}(V) = (Q : PT(V),\ W : Q \to \mathrm{Type\text{-}1}(W))$

To define satisfaction for Type 2 policies, we use the components $W \in Q$ to partition a system $S$ into sub-systems (unlike the analogous situation with Type 1 policies, we cannot intersect $S$ directly with $W$; instead, we intersect with $T_W$). To ensure that the only dependency on the erasure subject is that described by $Q$, we require that each sub-system $S \cap T_W$ is defined over the whole of the subject sub-domain $W$. So, for a Type 2 policy $(Q, g) \in$ Type-2($V$), an attacker model $A$, and system $S \in Sys(V)$, satisfaction is defined thus:

$S \vdash^o_A (Q, g)$ iff $\forall W \in Q.\ S_W \in Sys(W) \wedge S_W \vdash^o_A g\,W$

where $S_W = S \cap T_W$.

To state the appropriate analogue of Theorem 1 we need to form a conjunction of all the component parts of a Type 2 policy:

— In the worst case, the attacker will be able to observe which of the erasure cases specified by $Q$ contains the subject, hence we should conjoin the corresponding equivalence relation $\mathcal{E}(Q)$.

— Each Type 1 sub-policy determines a worst case equivalence relation, as defined in Theorem 1. To conjoin these relations, we must first extend each one from its sub-domain to the whole domain, by appending a single additional equivalence class comprising all the "missing" elements: given $W \subseteq V$ and $R \in ER(W)$, define $R\!\uparrow\ \in ER(V)$ by $R\!\uparrow\ = R \cup All_{V \setminus W}$.

Theorem 2. Let $(Q, g) \in$ Type-2($V$) and $S \in Sys(V)$ and $A \in ER(T)$. For any Type 1 policy $(P, f)$, let $R_{(P,f)} = \bigwedge_{X \in P} (f\,X)$. Let $o \in \{U, L, EM, CA, WA\}$. If $S \vdash^o_A (Q, g)$ then:

$[\mathcal{E}(Q) \wedge \bigwedge_{W \in Q} R_{(g\,W)}\!\uparrow] \preceq_o \mathcal{K}_S(A)$

Example. We consider a Type 2 policy satisfied by Listing 1.4, namely $(HC, h)$ where $HC$ is the partition into Stealth and non-Stealth cards (as above), and $h$ is defined as follows.

$h(SC) = (\{T_{SC}\}, \lambda x.\,All_{SC})$

$h(\overline{SC}) = (Ch, h_1)$ where $h_1(Y) = L4_{\overline{SC}}$ and $h_1(\overline{Y}) = All_{\overline{SC}}$

The term $T_{SC}$ denotes the set of traces which input a Stealth card number as first action. As in the example of Type 1 policy above, $Y$ is the set of (non-stealth) traces where the user gives permission ("Yes") to retain the last digits, $\overline{Y}$ is its complement (relative to the set of non-stealth traces), and $Ch$ is the partition $\{Y, \overline{Y}\}$. The term $L4_{\overline{SC}}$ denotes the restriction of $L4$ to elements in $\overline{SC}$. Instantiating Theorem 2 to this example tells us that the attacker knowledge is bounded by $\mathcal{E}(HC) \wedge All_{SC}\!\uparrow \wedge L4_{\overline{SC}}\!\uparrow \wedge All_{\overline{SC}}\!\uparrow$, which is just $L4_{\overline{SC}}\!\uparrow$.
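The Type 0, Type 1 and Type 2 satisfaction checks of this section, and the bounds of Theorems 1 and 2, worked through as an added example (not the paper's code) on trace models of Listings 1.5, 1.3 and 1.4 under the simple erasure attacker AS; the five card numbers, the StealthCard set, the transaction times and the log/dump event format are constructed, and policies are compared in the EM ordering via Proposition 2.

```python
"""Type 0, Type 1 and Type 2 policy satisfaction (Section 4) checked against the
simple erasure attacker AS on trace models of Listings 1.5, 1.3 and 1.4 (added
example, not the paper's code).  The card numbers, the StealthCard set, the
transaction times and the log/dump event format are constructed; policy
partitions are compared with K-spaces in the EM ordering via Proposition 2."""

CC = frozenset({"40007016", "41117016", "42228888", "90007016", "90008888"})
SC = frozenset(c for c in CC if c.startswith("9"))   # constructed StealthCards
TIMES = ("t1", "t2")    # transaction time: an input the attacker cannot see
ETA = ("eta",)          # the erasure signal event

def last4(cc): return cc[-4:]
def phi(t): return t[0][1]                 # policy subject: the card number
def AS(t): return t[t.index(ETA) + 1:]     # simple erasure attacker: after eta only

def trace(cc, log, choice=None):
    """?cc, (?choice), !log, eta, dump: the dump replays the retained log."""
    head = (("?cc", cc),) +  ((("?choice", choice),) if choice else ())
    return head + (("!log",) + log, ETA, ("dump",) + log)

def listing_1_5():      # partial, unconditional: last4 is always logged
    return frozenset(trace(cc, (tm, last4(cc))) for cc in CC for tm in TIMES)

def listing_1_3():      # low dependent: the user decides whether last4 is kept
    return frozenset(trace(cc, (tm, last4(cc)) if ch == "Allow" else (tm,), ch)
                     for cc in CC for tm in TIMES for ch in ("Allow", "Deny"))

def listing_1_4():      # high dependent: StealthCards are given no choice
    return (frozenset(t for t in listing_1_3() if phi(t) not in SC)
            | frozenset(trace(cc, (tm,)) for cc in SC for tm in TIMES))

def kspace(S, A):       # K_S(A): the subjects compatible with each observation
    classes = {}
    for t in S:
        classes.setdefault(A(t), set()).add(phi(t))
    return frozenset(frozenset(x) for x in classes.values())

def partition(V, key):  # [R] for the equivalence relation key(v1) == key(v2)
    classes = {}
    for v in V:
        classes.setdefault(key(v), set()).add(v)
    return frozenset(frozenset(x) for x in classes.values())

def meet(*parts):       # meet of partitions: the non-empty pairwise intersections
    acc = parts[0]
    for P in parts[1:]:
        acc = frozenset(X & Y for X in acc for Y in P if X & Y)
    return acc

def le_EM(K1, K2):      # Proposition 2: upper and lower orders together
    return (all(any(X1 <= X2 for X1 in K1) for X2 in K2)
            and all(any(X1 <= X2 for X2 in K2) for X1 in K1))

L4, ALL = last4, (lambda v: "all")   # visibility policies, as key functions

def type0(S, A, R, V):
    """S |-_A R: S must have subject domain V and [R] <=_EM K_S(A)."""
    return frozenset(map(phi, S)) == V and le_EM(partition(V, R), kspace(S, A))

def type1(S, A, cond, f, V):
    """(P, f): cond(t) names the component X of P containing t.  Every S_X must
    be defined over all of V (low dependency) and satisfy the Type 0 policy f[X]."""
    S_X = {}
    for t in S:
        S_X.setdefault(cond(t), set()).add(t)
    return all(type0(S_X.get(X, set()), A, f[X], V) for X in f)

def type2(S, A, q, g, V):
    """(Q, g): q(v) names the component W of Q containing subject v; g[W] is a
    Type 1 policy (cond, f) for sub-domain W, checked on S_W = S ∩ T_W."""
    return all(type1(frozenset(t for t in S if q(phi(t)) == W), A, cond, f,
                     frozenset(v for v in V if q(v) == W))
               for W, (cond, f) in g.items())

def theorem1_bound(f, V):      # [⋀_X f X]
    return meet(*(partition(V, R) for R in f.values()))

def theorem2_bound(q, g, V):   # [E(Q) ∧ ⋀_W R_(g W)↑], R↑ adding the class V \ W
    B = partition(V, q)
    for W, (_, f) in g.items():
        dom = frozenset(v for v in V if q(v) == W)
        B = meet(B, theorem1_bound(f, dom) | ({V - dom} if V - dom else set()))
    return B

choice = lambda t: "Y" if ("?choice", "Allow") in t else "notY"
Ch_g = (choice, {"Y": L4, "notY": ALL})                  # Type 1 policy (Ch, g)
HC_h = (lambda v: "SC" if v in SC else "notSC",          # Type 2 policy (HC, h)
        {"SC": (lambda t: "T_SC", {"T_SC": ALL}), "notSC": Ch_g})

if __name__ == "__main__":
    print(type0(listing_1_5(), AS, L4, CC), type0(listing_1_5(), AS, ALL, CC))
    print(type1(listing_1_3(), AS, *Ch_g, CC))
    print(type2(listing_1_4(), AS, *HC_h, CC), type2(listing_1_3(), AS, *HC_h, CC))
    print(le_EM(theorem2_bound(*HC_h, CC), kspace(listing_1_4(), AS)))
```

The last check fails for Listing 1.3 under the Type 2 policy because its StealthCard sub-system lets "Allow" runs leak the last four digits, which the sub-policy All_SC forbids.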

4.1 Varying the attacker model 

The hierarchy deals with erasure policies independently of any particular at- 
tacker model. Here we make some brief remarks about modelling attackers. Let 
us take the example of the erasure notion studied in |17j where the systems are 
simple imperative programs involving 10 on public and secret channels. Then 
the implicit attacker model in that work is unable to observe any 10 events prior 
to the erasure point, and is able to observe just the public inputs and outputs 
thereafter. (We note that j!7j also considers a policy enforcement mechanism 
which uses a stronger, state-based non-interference property.) 

Now consider the example of the one-time pad described in the introduction, codified in Listing 1.6. Let system $S$ be the set of traces modelling the possible runs of the program and let the subject be the first input in each trace. For the simple erasure attacker $A_S$ (Section 4), unable to observe the key provided in line 2, the K-space will be $\{V\} = [All]$, hence $S \models_{A_S} All$. This is because the value of data in the output does not inform the attacker about the initial value.



    get(data);
    get(key);
    data := data XOR key;
    key := null;
    erased();
    output(data);

Listing 1.6. Key Erasure

On the other hand, the attacker who can also observe the key learns everything about the data from its encrypted value⁴. So for this stronger attacker, using encryption to achieve erasure does not work, and indeed policy satisfaction fails for this particular system. If the attacker is strengthened even further, we arrive at a point where no system will be able to satisfy the policy. Intuitively, if an attacker can see the erasure subject itself (or, more specifically, more of the erasure subject than the policy permits to be retained) no system will be able to satisfy the policy. In general, we say that a policy $p$ with subject domain $V$ (where $p$ may be of any of Types 0, 1, 2) is weakly $o$-compatible with attacker model $A$ iff there exists $S \in Sys(V)$ such that $S \models^o_A p$ (we call this weak compatibility because it assumes that all $S \in Sys(V)$ are of interest but in general there will be additional constraints on the admissible systems). Clearly, to be helpful as a sanity check on policies we need something a little more constructive than this. For the special case of Type 0 policies and the upper ordering we have the following characterisation:

Lemma 2. $R$ is weakly $U$-compatible with $A$ iff $\forall v \in V.\ \exists O \in [A].\ [v]_R \subseteq \Phi(O)$.

Deriving analogues of this result (or at least sufficient conditions) of more general 
applicability remains a subject for further work. 
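The three attacker strengths discussed above for Listing 1.6 can be checked mechanically on a toy instance. The following Python script is an added example, not code from the paper: it models each run of Listing 1.6 as a constructed (data, key) pair over a 2-bit subject domain, takes an attacker model to be an observation function on runs, and computes the K-space $\mathcal{K}_S(A) = \{\Phi(O \cap S) \mid O \in [A],\ O \cap S \neq \emptyset\}$ together with the lower and upper orderings and the weak-compatibility test of Lemma 2. The attacker and policy names (`attacker_output`, `attacker_key_output`, `attacker_subject`, `ALL`, `NOTHING`) and the biased-key system `S_BIASED_KEY` are assumptions of the example, and the trace universe is restricted to runs of this one program.

```python
"""Knowledge-based erasure check for the key-erasure program of Listing 1.6.

Added example (not from the paper). Assumptions: a run of the program is a
constructed (data, key) pair over a 2-bit domain, the erasure subject Phi(t)
is the first input (data), and an attacker model is a function from runs to
what the attacker observes.
"""
from itertools import product

V = frozenset(range(4))                 # subject domain: 2-bit card values
TRACES = frozenset(product(V, V))       # constructed universe: every (data, key) run


def phi(traces):
    """Phi(O): the subject values occurring in a set of traces."""
    return frozenset(data for data, _key in traces)


def partition(traces, obs):
    """[A]: observational equivalence classes of traces under obs."""
    classes = {}
    for t in traces:
        classes.setdefault(obs(t), set()).add(t)
    return [frozenset(c) for c in classes.values()]


def k_space(system, attacker):
    """K_S(A) = { Phi(O ∩ S) | O ∈ [A], O ∩ S ≠ ∅ }."""
    return frozenset(phi(o & system)
                     for o in partition(TRACES, attacker) if o & system)


def leq_lower(k1, k2):
    """K1 <=_L K2: every knowledge set of K1 lies inside some set of K2."""
    return all(any(y1 <= y2 for y2 in k2) for y1 in k1)


def leq_upper(k1, k2):
    """K1 <=_U K2: every knowledge set of K2 contains some set of K1."""
    return all(any(y1 <= y2 for y1 in k1) for y2 in k2)


def satisfies(system, attacker, policy, order=leq_upper):
    """S |=_A R for a Type 0 policy R, given as its partition [R] of V."""
    return order(frozenset(policy), k_space(system, attacker))


def weakly_u_compatible(policy, attacker):
    """Lemma 2: R is weakly U-compatible with A iff every class [v]_R
    is contained in Phi(O) for some observation class O ∈ [A]."""
    classes = partition(TRACES, attacker)
    return all(any(block <= phi(o) for o in classes) for block in policy)


# Type 0 policies as partitions of V (assumed names)
ALL = [V]                                # total erasure: nothing may be retained
NOTHING = [frozenset({v}) for v in V]    # identity: everything may be retained

# A system whose key is never 0 (constructed, to show a possibilistic failure)
S_BIASED_KEY = frozenset(t for t in TRACES if t[1] != 0)


# Attacker models: what each sees of a run (data, key) (assumed names)
def attacker_output(t):
    """Sees only the post-erasure output(data), i.e. data XOR key."""
    return (t[0] ^ t[1],)


def attacker_key_output(t):
    """Also sees the key input on line 2."""
    return (t[1], t[0] ^ t[1])


def attacker_subject(t):
    """Sees the erasure subject itself."""
    return (t[0],)


if __name__ == "__main__":
    print(sorted(map(sorted, k_space(TRACES, attacker_output))))
    print(satisfies(TRACES, attacker_output, ALL))          # total erasure holds
    print(satisfies(TRACES, attacker_key_output, ALL))      # fails once key is seen
    print(satisfies(S_BIASED_KEY, attacker_output, ALL))    # fails: key never 0
    print(weakly_u_compatible(ALL, attacker_subject))       # no system can satisfy
```

With the full trace set as the system, the output-only attacker's K-space is $\{V\}$ and total erasure is satisfied under both orderings; once the key is observable every knowledge set is a singleton and satisfaction fails; and an attacker who sees the subject is not weakly $U$-compatible with total erasure by Lemma 2. The biased-key system shows the possibilistic condition at work: if the key can never be 0, the output-only attacker learns that the data differs from the output, so total erasure fails even though the key itself is never revealed.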

Finally, we note that, while our main aim has been to specify erasure policies, by varying the attacker model appropriately, we can specify quite general information-flow properties, not just erasure policies. For example, by classifying events into High and Low and defining the attacker who sees only Low events, we can specify non-interference properties.



5 Related work 

We consider related work both directly concerned with erasure and more generally with knowledge based approaches to information flow policies.

Erasure. The information-flow perspective on erasure was introduced by Chong and Myers [7] and was studied in combination with confidentiality and declassification. Their semantics is based on an adaptation of two-run noninterference definitions, and does not have a clear attacker model. They describe conditional erasure policies where the condition is independent of the data to be erased. Although this appears similar to Type 1 policies (restricted to total erasure), it is more accurately viewed as a form of Type 0 policy in which the condition defines the point in the trace from which the attacker begins observation.

⁴ Note, however, that we cannot model the fact that certain functions are not (easily) invertible, so our attackers are always endowed with unbounded computational power.



The present paper does not model the behaviour of the user who interacts with an erasing system. This was studied in [14] for one particular system and attacker model. We believe that it would be possible to extend the system model with a user-strategy parameter (see [30123123] which consider explicit models of user strategies). Neither do we consider here the verification or enforcement of erasure policies; for specific systems and attacker models this has been studied in a programming language context in [17, 8, 9, 13, 22].

Knowledge based approaches. Our use of knowledge sets was inspired by Askarov and Sabelfeld's gradual release definitions [2]. This provides a clear attacker-oriented perspective on information-flow properties based on what an attacker can deduce about a secret after making observations. A number of recent papers have followed this approach to provide semantics for richer information flow properties, e.g. [4, 5]. Our use of knowledge sets to build a K-space, thus generalising the use of equivalence relations/partitions, is new. The use of partitions in expressing a variety of information flow properties was studied in early work by Cohen [10]. The use of equivalence relations and more generally partial equivalence relations as models for information and information flow was studied in [H] and resp. [2d].

Recent work [3] uses an epistemic temporal logic as a specification language for information flow policies. Formulae are interpreted over trace-based models of programs in a simple sequential while language (without input actions), together with an explicit observer defined via an observation function on traces. Our work looks very similar in spirit to [3], though this requires further investigation, and it appears that our modelling capabilities are comparable. The use of temporal logic in [3] is attractive, for example because of the possibility of using off the shelf model-checking tools. However, our policy language allows a more intuitive reading and clear representation of the information leakage.

Alur et al. [1] study preservation of secrecy under refinement. The information flow model of that work bears a number of similarities with the present work. Differences include a more concrete treatment of traces, and a more abstract treatment of secrets. As here, equivalence relations are used to model an attacker's observational power, while knowledge models the ability of an attacker to determine the value of trace predicates. Their core definition of secrecy coincides with what we call secrecy of queries (viz., negation of "can answer"), although they do not consider counterparts to our other knowledge-based properties.

Abstract Non-interference. Abstract Non-interference [16] has strong similarities with our use of K-spaces. In abstract non-interference, upper closure operators (uco's) are used to specify non-interference properties. The similarities with the current work become apparent when a uco is presented as a Moore family, which may be seen as a K-space closed under intersection.

[16] starts by defining the intuitive notion of narrow abstract non-interference (NANI) parameterized by two upper closure operators $\eta$ (specifying what the attacker can observe of low inputs) and $\rho$ (ditto low outputs). A weakness of NANI is that it suffers from "deceptive flows", whereby a program failing to satisfy NANI might still be non-interfering. From our perspective, the deceptive flows problem arises because $\eta$ fails to distinguish between what an attacker can observe of low inputs and what he should be allowed to deduce about them (i.e., everything). Since we specify the attacker model independently from the flow policy, the deceptive flows problem does not arise for us.

The deceptive flows problem is addressed in [16] by defining a more general notion of abstract non-interference (ANI) which introduces a third uco parameter $\phi$. The definition of ANI adapts that of NANI by lifting the semantics of a program to an abstract version in which low inputs are abstracted by $\eta$ and high inputs by $\phi$. A potential criticism of this approach is that an intuitive reading is not clear, since it is based on an abstraction of the original program semantics. On the other hand, being based on Abstract Interpretation [12, 11], abstract non-interference has the potential to leverage very well developed theory and static analysis algorithms for policy checking and enforcement. It would therefore be useful to explore the connections further and to attempt an analysis of the ANI definitions (see also additional variants in [5D]) relating them to more intuitive properties based on knowledge sets. A starting point could be [15] which provides an alternative characterisation of NANI using equivalence relations.

Provenance. A recent abstract model of information provenance [6] is built on an information-flow foundation and has a number of similarities with our model, including a focus on an observer model as an equivalence relation, and a knowledge-based approach described in terms of queries that an observer can answer. Provenance is primarily concerned with providing sufficient information to answer provenance-related questions. In secrecy and erasure one is concerned with not providing more than a certain amount.

6 Conclusions and further work 

We have presented a rich, knowledge-based abstract framework for erasure policy specification, taking into account both quantitative and conditional aspects of the problem. Our model includes an explicit representation of the attacker. The knowledge-based approach guarantees an intuitive understanding of what it means for an attacker to deduce some information about the secret, and for a policy to provide an upper bound to these deductions.

Our work so far suggests a number of possible extensions. At this stage, the 
most relevant ones on the theoretical side are: 

— Develop a logic defined on traces, both to support policy definition and to 
give the basis for an enforcement mechanism (as is done in [3]). 

— Model multilevel erasure, based on the fact that the attacker might perform observations up to a certain level in the security lattice. It would be interesting to investigate different classes of such attackers and to analyse their properties.

— Generalise policy specifications to use K-spaces in place of equivalence relations. This would allow specification of disjunctive policies such as "reveal the key or the ciphertext, but not both". Non-ER policies may also be more appropriate for protection of facts, rather than queries, since ER's are effectively closed under complementation and so cannot reveal a fact without also revealing its negation (for example, we may be prepared to reveal "not HIV positive" to an insurance company, but not the negation of this fact).

— Extend the scope of the approach along the following key dimensions (defined in the same spirit as [27]):

What: Our model is possibilistic but it is well known that possibilistic security guarantees can be very weak when non-determinism is resolved probabilistically (see the example in Section 5 of [H]). A probabilistic approach would be more expressive and provide stronger guarantees.

When: Our policies support history-based erasure conditions but many 
scenarios require reasoning about the future ("erase this account in 3 
weeks"). This would require a richer semantic setting in which time is 
modelled more explicitly. 

Who: We do not explicitly model the user's behaviour but it is implicit 
in our possibilistic approach that the user behaves non-deterministically 
and, in particular, that later inputs are chosen independently of the 
erasure subject. Modelling user behaviour explicitly would allow us to 
relax this assumption (which is not realistic in all scenarios) and also to 
model active attackers. 

— Understand the interplay between erasure and cryptographic concepts. To make this possible some refinements of the theory are needed. Firstly, it would be natural to move to a probabilistic system model. Secondly, the present notion of knowledge assumes an attacker with computationally unlimited deductive power; instead we would need a notion of feasibly computable knowledge.

We have focussed on characterising expressive erasure policies, but not on their verification for actual systems. As a step towards bridging this to more practical experiments in information erasure, it would be instructive to explore the connections to the rich policies expressible by the enforcement mechanism for Python programs we describe in our earlier work [13].
A Proofs



Lemma 3. Let $I$ be a non-empty index set. Let $\{W_i\}_{i \in I}$ be a family of non-empty sets such that $\bigcup_{i \in I} W_i = V$. Let $\{K_i\}_{i \in I}$ and $\{K'_i\}_{i \in I}$ be families of K-spaces, with each $K_i, K'_i$ covering $W_i$. Then, for $o \in \{L, U, EM, CA, WA\}$:

$$(\forall i \in I.\ K_i \leq_o K'_i) \implies \bigcup_{i \in I} K_i \leq_o \bigcup_{i \in I} K'_i$$

Proof. We show the two interesting cases, CA and WA.

— case CA. Assume $\forall i \in I.\ K_i \leq_{CA} K'_i$ and consider a query $Q \subseteq V$ such that $\bigcup_{i \in I} K'_i$ can answer $Q$. By definition this implies there exists a $j \in I$ such that $\exists X' \in K'_j$ and either $X' \subseteq Q$ or $X' \subseteq V \setminus Q$.

• Suppose $X' \subseteq Q$, then $Q' = W_j \cap Q$ is a query $K'_j$ can answer via $X'$. Since $K_j \leq_{CA} K'_j$, $K_j$ can answer $Q'$ as well, therefore there must be an $X \in K_j$ such that either $X \subseteq Q'$ or $X \subseteq W_j \setminus Q'$. If $X \subseteq Q'$ then $\bigcup_{i \in I} K_i$ can answer $Q$ via $X$ in $K_j$. Otherwise $X \subseteq W_j \setminus Q'$, but this means $X \subseteq V \setminus Q$, therefore $\bigcup_{i \in I} K_i$ can answer $Q$ via $X$ in $K_j$.

• Suppose $X' \subseteq V \setminus Q$, then $Q' = W_j \setminus Q$ is a query $K'_j$ can answer via $X'$. For the same reason we explained previously, there must be an $X \in K_j$ such that either $X \subseteq Q'$ or $X \subseteq W_j \setminus Q'$. If $X \subseteq Q'$ then $X \subseteq V \setminus Q$ and $\bigcup_{i \in I} K_i$ can answer $Q$ via $X$ in $K_j$. Otherwise $X \subseteq W_j \setminus Q'$, but this means $X \subseteq Q$, therefore $\bigcup_{i \in I} K_i$ can answer $Q$ via $X$ in $K_j$.

— case WA. Assume $\forall i \in I.\ K_i \leq_{WA} K'_i$ and consider a query $Q \subseteq V$ such that $\bigcup_{i \in I} K'_i$ will answer $Q$. By definition this implies that $\forall X' \in K'_j$, either $X' \subseteq Q$ or $X' \subseteq V \setminus Q$, for all $K'_j$ in $\{K'_i\}_{i \in I}$. Let us consider one $K'_j$ of the family and define $Q'_j = Q \cap W_j$. Then we have $\forall X' \in K'_j$, either $X' \subseteq Q'_j$ or $X' \subseteq W_j \setminus Q'_j$, therefore $Q'_j$ is a query $K'_j$ will answer. Since $K_j \leq_{WA} K'_j$, $K_j$ will answer $Q'_j$ as well, therefore $X \subseteq Q'_j$ or $X \subseteq W_j \setminus Q'_j$ must hold for all $X \in K_j$. But this implies $X \subseteq Q$ or $X \subseteq V \setminus Q$ as well, and the statement holds for all $K_j$ in $\{K_i\}_{i \in I}$, therefore $\bigcup_{i \in I} K_i$ will answer $Q$.

□

Lemma 4. Let $\{P_i\}_{i \in I}$ be a non-empty family of relations in $ER(V)$ for some set $V$, and let $R = \bigcap_{i \in I} P_i$. Then $[R] \leq_{EM} \bigcup_{i \in I} [P_i]$.

Proof. Every element of $[R]$ is of the form $[v]_R$, every element of $\bigcup_{i \in I} [P_i]$ is of the form $[v]_{P_i}$ for some $i \in I$, and every choice of $v$ and $i$ generates such elements. It thus suffices to show that $[v]_R \subseteq [v]_{P_i}$ for all choices of $v$ and $i$. This follows since $R$ is a finer equivalence relation than each $P_i$. □
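Lemma 3 and Lemma 4 can both be checked exhaustively on a small domain. The following Python script is an added example, not code from the paper: K-spaces are represented as frozensets of frozensets over a constructed four-element domain $V$, the five orderings are coded directly from their definitions (with $\leq_{CA}$ and $\leq_{WA}$ quantifying over every query $Q \subseteq V$), and `check_lemma3` and `check_lemma4` test the two lemmas on constructed instances. The helper names and the particular partitions used are assumptions of the example.

```python
"""Exhaustive check of Lemma 3 and Lemma 4 on a four-element domain.

Added example (not from the paper). A K-space is a frozenset of frozensets
of subject values; K1 <=_o K2 reads "K1 is at least as informative as K2",
as in policy satisfaction [R] <=_o K_S(A).
"""
from itertools import combinations

V = frozenset(range(4))   # constructed subject domain


def queries(domain):
    """All queries Q ⊆ domain."""
    elems = sorted(domain)
    return [frozenset(c) for r in range(len(elems) + 1)
            for c in combinations(elems, r)]


def can_answer(k, q, domain):
    """K can answer Q iff some X ∈ K lies within Q or within its complement."""
    return any(x <= q or x <= domain - q for x in k)


def will_answer(k, q, domain):
    """K will answer Q iff every X ∈ K lies within Q or within its complement."""
    return all(x <= q or x <= domain - q for x in k)


def leq(order, k1, k2, domain=V):
    """K1 <=_o K2 for o ∈ {L, U, EM, CA, WA}, over the given domain."""
    if order == "L":      # every set of K1 lies inside some set of K2
        return all(any(y1 <= y2 for y2 in k2) for y1 in k1)
    if order == "U":      # every set of K2 contains some set of K1
        return all(any(y1 <= y2 for y1 in k1) for y2 in k2)
    if order == "EM":
        return leq("L", k1, k2, domain) and leq("U", k1, k2, domain)
    if order == "CA":     # whatever K2 can answer, K1 can answer
        return all(can_answer(k1, q, domain)
                   for q in queries(domain) if can_answer(k2, q, domain))
    if order == "WA":     # whatever K2 will answer, K1 will answer
        return all(will_answer(k1, q, domain)
                   for q in queries(domain) if will_answer(k2, q, domain))
    raise ValueError(order)


def kspace(*blocks):
    """Build a K-space from its knowledge sets."""
    return frozenset(frozenset(b) for b in blocks)


def meet(*partitions):
    """[∩ P_i]: the partition of the intersected equivalence relations,
    i.e. the non-empty pairwise intersections of blocks."""
    blocks = [V]
    for p in partitions:
        blocks = [b & c for b in blocks for c in p if b & c]
    return frozenset(blocks)


def check_lemma3(order):
    """Lemma 3 with W1 = {0,1}, W2 = {2,3}: K_i <=_o K'_i on each W_i
    should imply the same ordering between the unions over V."""
    w1, w2 = frozenset({0, 1}), frozenset({2, 3})
    k1, k1p = kspace({0}, {1}), kspace({0, 1})
    k2, k2p = kspace({2}, {3}), kspace({2, 3})
    assert leq(order, k1, k1p, w1) and leq(order, k2, k2p, w2)
    return leq(order, k1 | k2, k1p | k2p, V)


def check_lemma4():
    """Lemma 4 with P1 = {{0,1},{2,3}}, P2 = {{0,2},{1,3}}:
    [P1 ∩ P2] <=_EM [P1] ∪ [P2]."""
    p1 = kspace({0, 1}, {2, 3})
    p2 = kspace({0, 2}, {1, 3})
    return leq("EM", meet(p1, p2), p1 | p2)


def ca_but_not_wa():
    """A pair of K-spaces ordered by CA but not by WA."""
    ka = kspace({0}, {1, 2, 3})
    kb = kspace({0, 1}, {2, 3})
    return leq("CA", ka, kb), leq("WA", ka, kb)


if __name__ == "__main__":
    for o in ("L", "U", "EM", "CA", "WA"):
        print(o, check_lemma3(o))
    print("Lemma 4:", check_lemma4())
    print("CA vs WA:", ca_but_not_wa())
```

Because $K_1$ is the more informative side of $K_1 \leq_o K_2$, the $CA$ and $WA$ checks ask that every query $K_2$ can (or will) answer is also one $K_1$ can (or will) answer. `ca_but_not_wa` shows that the two orderings really differ: a K-space containing a singleton can answer every query, but that does not make it settle any particular one.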

Lemma 5. Let $P \in PT(T_V)$, $S \in Sys(V)$ and $A \in ER(T)$. Then $\bigcup_{X \in [P]} \mathcal{K}_{S \cap X}(A) \leq_{EM} \mathcal{K}_S(A)$.

Proof. We show the lower and the upper ordering separately.

1. $\forall X \in [P].\ \mathcal{K}_{S \cap X}(A) \leq_L \mathcal{K}_S(A)$:

Let $Y \in \mathcal{K}_{S \cap X}(A)$. Then, for some $O \in [A]$, $Y = \Phi(O \cap S \cap X)$ and $O \cap S \cap X$ is non-empty. Let $Y' = \Phi(O \cap S)$. Then $O \cap S$ is non-empty (since $O \cap S \cap X$ is non-empty), hence $Y \subseteq Y' \in \mathcal{K}_S(A)$.

2. $\forall Y \in \mathcal{K}_S(A).\ \exists X \in [P].\ \exists Y' \in \mathcal{K}_{S \cap X}(A).\ Y' \subseteq Y$:

Let $Y \in \mathcal{K}_S(A)$. Then, for some $O \in [A]$, $Y = \Phi(O \cap S)$ and $O \cap S$ is non-empty.

Suppose, towards a contradiction, that $O \cap S \cap X = \emptyset$ for all $X \in [P]$, hence $O \cap S \cap \bigcup_{X \in [P]} X = \emptyset$; but $[P]$ partitions $T$, so $\bigcup_{X \in [P]} X = T \supseteq O \cap S$, hence $O \cap S = \emptyset$, a contradiction.

So let $X \in [P]$ with $O \cap S \cap X$ non-empty, and let $Y' = \Phi(O \cap S \cap X)$. Then $Y' \subseteq Y$ and $Y' \in \mathcal{K}_{S \cap X}(A)$.

From 1 it follows that $\bigcup_{X \in [P]} \mathcal{K}_{S \cap X}(A) \leq_L \mathcal{K}_S(A)$ and from 2 it follows that $\bigcup_{X \in [P]} \mathcal{K}_{S \cap X}(A) \leq_U \mathcal{K}_S(A)$, thus:

$$\bigcup_{X \in [P]} \mathcal{K}_{S \cap X}(A) \leq_{EM} \mathcal{K}_S(A)$$

A.1 Proof of Theorem 1

By Lemma 5, $\bigcup_{X \in [P]} \mathcal{K}_{S \cap X}(A) \leq_{EM} \mathcal{K}_S(A)$.

By assumption of policy satisfaction, $[f\,X] \leq_o \mathcal{K}_{S \cap X}(A)$ for all $X \in [P]$, with each $\mathcal{K}_{S \cap X}(A)$ covering $V$.

So, by Lemma 3,

$$\bigcup_{X \in [P]} [f\,X] \leq_o \bigcup_{X \in [P]} \mathcal{K}_{S \cap X}(A)$$

It then suffices to show that $[\bigcap_{X \in [P]} (f\,X)] \leq_{EM} \bigcup_{X \in [P]} [f\,X]$. This is immediate by Lemma 4. □

Lemma 6. Let $\{R_W\}_{W \in Q}$ be a partition-indexed family of equivalence relations such that $R_W \in ER(W)$ for each $W \in Q$. Then:

1. $\bigwedge_{W \in Q} \hat{R}_W = \bigcup_{W \in Q} R_W$
2. $\bigwedge_{W \in Q} \hat{R}_W \subseteq \mathcal{E}(Q)$

Proof. 1. Recall $\hat{R}_W = R_W \cup All_{V \setminus W}$. Then, for all $W$ in the partition $Q$, $\forall (x, y) \in \hat{R}_W$ either $x \in W \wedge y \in W$ or $x \notin W \wedge y \notin W$. In fact, suppose $x \in W$ but $y \notin W$; then $(x, y) \notin R_W$ because $y \notin W$, and $(x, y) \notin All_{V \setminus W}$ because $x \notin V \setminus W$, a contradiction.

We now show $\bigwedge_{W \in Q} \hat{R}_W \subseteq \bigcup_{W \in Q} R_W$. Consider $(x, y) \in \bigwedge_{W \in Q} \hat{R}_W$. Then $\exists W \in Q.\ x \in W \wedge y \in W$ because of the previous result, therefore $(x, y) \in R_W \subseteq \bigcup_{W \in Q} R_W$.

We now show $\bigwedge_{W \in Q} \hat{R}_W \supseteq \bigcup_{W \in Q} R_W$. Consider $(x, y) \in \bigcup_{W \in Q} R_W$. Since $\forall W, W' \in Q.\ W \neq W' \Rightarrow W \cap W' = \emptyset$, $\exists W \in Q.\ (x, y) \in R_W$, therefore $(x, y) \in \hat{R}_W$. For all other $W' \in Q$, $W' \neq W$, we have $x \notin W' \wedge y \notin W'$, therefore $(x, y) \in \hat{R}_{W'}$. So we can conclude $(x, y) \in \bigwedge_{W \in Q} \hat{R}_W$.

2. Consider $(x, y) \in \bigwedge_{W \in Q} \hat{R}_W$. Since $\bigwedge_{W \in Q} \hat{R}_W = \bigcup_{W \in Q} R_W$ and since $\forall W, W' \in Q.\ W \neq W' \Rightarrow W \cap W' = \emptyset$, $\exists! W \in Q.\ (x, y) \in R_W$. But $R_W \subseteq W \times W$ and $W \times W \subseteq \mathcal{E}(Q)$ by definition, therefore $(x, y) \in \mathcal{E}(Q)$.

□



A.2 Proof of Theorem 2

Recall the definition of $T_W$ as the set of traces whose erasure subject lies in $W$.

Let $P_Q$ be a partition of $T_V$ defined as $P_Q = \{T_W\}_{W \in [Q]}$.

By Lemma 5 we have $\bigcup_{T_W \in [P_Q]} \mathcal{K}_{S \cap T_W}(A) \leq_{EM} \mathcal{K}_S(A)$.

We then have $[R_{(g\,W)}] \leq_o \mathcal{K}_{S \cap T_W}(A)$ for all $T_W \in [P_Q]$ by assumption of policy satisfaction and Theorem 1 applied to all subsystems $S \cap T_W$.

By Lemma 6 we have $\mathcal{E}(Q) \wedge \bigwedge_{W \in Q} \hat{R}_{(g\,W)} = \bigwedge_{W \in Q} \hat{R}_{(g\,W)} = \bigcup_{W \in Q} R_{(g\,W)}$. To conclude the proof we only need $\bigcup_{W \in Q} [R_{(g\,W)}] \leq_o \bigcup_{T_W \in P_Q} \mathcal{K}_{S \cap T_W}(A)$, which holds by Lemma 3. □



